Hello, hopefully this is the right part of the forum to post this. I am trying to learn more about a career in penetration testing. I was wondering, do testers tend to specialize in either Network penetration testing or Application penetration testing, or do they tend to do both?

There are folks that go one direction or another, and there are folks who are more rounded and do both. I'd suggest, at least initially, that you explore both, but focus your time in whichever area is your 'strong suit', then, once you get a feel for things, decide whether to be a generalist, or continue to focus in a specific area.

I consider myself a solid / strong generalist, but I have no issue teaming with folks who I know are specialists in a given realm, if it means that A.) I'm free to focus on certain areas for a given test, and B.) the overall result can be more detailed and 'all inclusive' for certain engagements.

Hope that makes sense.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I agree with Hayabusa, you should start with both and maybe do like I did, learn more and more in "layers". What I mean by that is to learn the basics of both and, once you are starting to understand what you are talking about, go a little deeper in both, then do this again and again and again.

I personally believe that a very good network penetration tester who has no clue what SQL Injection is, is a poor pentester. On the other hand, someone who knows a lot about application vulnerabilities but has no idea what a reverse proxy is may not be able to test or leverage vulnerabilities in his applications.

Thank you for your answers and Happy New Year. I am currently an (web) application developer considering moving into security, so the application side is much easier for me to understand but I'll definitely try to learn the basics of both.

I am also a Web Application Developer (Java) and I started about 5 years ago studying information security.

I could probably give you a few hints...

My path was:
1- GSEC (very good certification to learn the basics)
2- CEH (also a good base, more "attack-oriented" than GSEC)
3- Worked -- A LOT -- on OSCP, but didn't pass the exam. Learned a lot of new things. PWB is the best course I have ever taken. Worth every penny.
4- GPEN (quite easy after having worked on OSCP...)
5- CISSP (A must have to work, but the worst exam I have ever written...)
6- GWAPT (My first web application certification, because I already knew a lot on the subject and wanted a cert to back my experience)

But my goal is to be a pentester, not a manager. So you may feel that a different path would be better for you. But to me, GSEC then OSCP will give you a strong base in information security, regardless of which "specialization" you choose.

Keep posting your questions on this forum, we are lucky to have experts in every field!

In my limited experience, the level of specialization required of a pentester is directly proportional to the size of the consulting firm you work for. The bigger the firm, the more specialization you can have. Smaller firms tend to need consultants that can do a lot of things well.

Some time ago I had an interview for a pentesting position in NZ.

Two young and nice guys discussed with me, for one and a half hours, different technical aspects and attack vector details, from Wifi to the OWASP Top 10.

Later on I found that one of them is well known in the underground world and works mainly as a freelancer.

However, at some point I asked them how much they care about certifications, and they let me know that in the pen-testing world all that matters is to gain root on the systems, whether or not you have a specific certification.

The interview ended with an invitation to prove my skills in their virtual lab, which seems to me a very fair method to eventually get the job.

I'm not a natural born hacker or something and I needed / I need to learn all the time. I'm not good or bad, but just guided by Edison's motto:

"Genius means 1% inspiration and 99% effort"...more or less

Bottom line, in my opinion, you should learn for pleasure, and if this learning activity can get you some paper too then why not?

Bottom line, in my opinion, you should learn for pleasure, and if this learning activity can get you some paper too then why not?

And for many of us, "pleasure" turned to "pain" before going back to "pleasure" again...

All jokes aside, Amidamaru is right: if you don't love it, you can't put the required effort into it. You just need to go one bite at a time. You're interested in wifi? Have fun for a few weeks exploring that. Then switch your interest to whatever interests you at that time. I think it's a nice way of not getting overwhelmed by all the material that needs to be learned...

It is true, you become overwhelmed with a lot of fields in security; one bite at a time.

TAnarchy wrote: Hello, hopefully this is the right part of the forum to post this. I am trying to learn more about a career in penetration testing. I was wondering, do testers tend to specialize in either Network penetration testing or Application penetration testing, or do they tend to do both?

Often they specialize in application (i.e. program) security or web application security, where network security is another part as well. There are of course, those who specialize in network security only, but they are often security engineers and not penetration testers, unless they attack the protocols themselves.

In my current job, we have people in those 3 fields, plus other mandatory fields for everyone, such as but not limited to wireless security, physical security (social engineering), PCI (that's another team), etc.

So yeah, I forgot to mention people specialize in PCI as well, but that's not penetration testing, even though some parts of it are somewhat related when you have to check whether a client is in PCI scope or not.

amolarakh wrote: According to me, a pentester is a professional entity which knows everything about Network/Infrastructure/Application/Physical Security for a client, and knows nothing about that client for an outsider.

It is impossible to know "everything". No matter how many years, no matter how much experience you have, there will always be old, perhaps extremely old, new, or very new things, even current things, you will not know about.

I often see people extremely skilled in application security (reverse engineering, buffer overflows, heap overflows, DEP, ROP, ASLR, etc.), who are brilliant in this field, but lack knowledge in web application security. (Often the crucial and specialist understanding of how everything can be tied together, including many of the possible attack vectors. Knowing the most basic ways can be taught to anyone, even non-hackers.)